Security – Page 32 – A Geek With Guns

Great Work Now Try Entering the Building

The enviro-nazis at Greenpeace are bragging about the fact they were able to hand signs on a reactor containment building in France. They claim this demonstrates a weakness of national security and, of course, demonstrates the dangers of nuclear power. Let’s take a look at what they actually accomplished:

Greenpeace activists secretly entered a French nuclear site before dawn and draped a banner reading “Coucou” and “Facile”, (meaning “Hey” and “Easy”) on its reactor containment building, to expose the vulnerability of atomic sites in the country.

Police, whom the environmental activist group immediately told of the publicity stunt, took several hours to round up nine intruders who had broken into the power plant in Nogent-sur-Seine, about 95km southeast of Paris, on Monday.

[…]

Activists who tried to enter three other French nuclear sites, in a co-ordinated action on the same day, were prevented from doing so, but Greenpeace said other invaders were still holed up inside other, unspecified, nuclear sites.

They had a 25% success rate, which isn’t terrible. Then again when you look at it all the activists accomplished was getting inside the fence surrounding the plant, they didn’t managed to enter the actual reactor containment building. Now the question is, what did they really accomplish? Not a heck of a lot honestly. Reactor containment buildings are heavily reinforced structures that are literally hardened against high explosives. You could probably stick 10 pounds of C4 onto a reactor containment building and accomplish little more than gouge the overly thick concrete that ensures a meltdown doesn’t end up being Chernobyl II (although if you do like the Japanese and try to prevent a properly melting down reactor form melting down containment will fail and you’ll have a radioactive mess on your hands).

Perhaps you could breech the containment building with a nuclear weapon but at that point I think the entire scenario is a giant moot point. Either way I doubt there is any man portable means of breeching containment of a reactor without gaining entry into the containment building so this entire stunt really proves nothing. If Greenpeace members could have gained entry into the reactor containment building then they would have a point to make.

Rioters are Severely Allergic to Shotgun Pellets

Don’t you hate it when roving marauders try to bust up your property and steal your stuff? Luckily there is a way to prevent this from happening by exploiting a well known rioter allergy, shotgun pellets:

“We had people who attempted to break into our building,” the landmark Rotunda Building on Frank Ogawa Plaza outside City Hall, Tagami said Thursday. He grabbed a shotgun that he usually keeps at home, went down to the ground floor and “discouraged them,” he said.

“I was standing there and they saw me there, and I lifted it – I didn’t point it – I just held it in my hands,” Tagami said. “And I just racked it, and they ran.”

Rioters are so severely allergic to shotgun pellets just the sight of a shotgun will often send them running in fear. Trying to be ballsy the rioters did do some graffiti work on the outside of the building:

Although they didn’t get inside the building – Tagami, 46, oversaw its $50 million renovation and has an office there – vandals did scrawl graffiti on the outside walls during the post-midnight riot that broke out after Occupy Oakland’s daylong general strike.

I’m sure this could have been solved by placing a few people with shotguns around the outside of the build though.

While I make light of the situation the story does bring up a example of why having a means of self-defense is a good thing. Although I don’t advocate the possession of firearms as a mere deterrent the fact of the matter is an assailant is less likely to attack you or yours if they know you’re in possession of a firearm. As the economy continues to crumble the rate of crime, both violent and property, is likely to increase. Knowing this I think it’s a good idea to obtain a means of self-defense less things turn to total shit in your area and you remain completely unarmed as rioters decide your home or business is a good target for looting.

A Trojan that Generates Bitcoins

It was bound to happen eventually but a trojan is now circulating for OS X that syphons a victims computing power and uses it to mine Bitcoins:

“This malware is complex, and performs many operations,” security researchers from Mac antivirus vendor Intego warned. “It is a combination of several types of malware: It is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is a spyware, as it sends personal data to remote servers,” they explained.

The Bitcoin mining program that DevilRobber installs on infected computers is called DiabloMiner and is a legitimate Java-based application used in the virtual currency’s production.

The one flaw in this trojan (besides requiring manual intervention by a user to get installed) is using a Java-based application to perform Bitcoin mining. Mac OS 10.7 doesn’t include Java by default and the user must manually install it if they want to run Java applications. While a prompt will appear asking the user if they want to install Java when they try to use a Java applet those are fairly uncommon at this point so the chances of a user running 10.7 having Java installed is actually pretty low.

Still the application appears to also seek out and steal Bitcoin wallets. I’m rather shocked that we didn’t see this kind of trojan come to the attention of network security sites before now. When I first looked into Bitcoin one of the first ideas that popped into my malicious thought filled head was how easy it would be to use a massive botnet to mine a great number of Bitcoins.

This is Why I Run My Own Cloud

With all the talk about cloud computing I finally decided to build my own cloud. I’m rocking in the cloud without relying on third-party solutions and absolutely loving it. What finally coaxed me into moving everything onto my own infrastructure was the ever increasing powers government officials have been claiming in the realm of data acquisition. The federal government can send a letter out to a company and demand information about a customer be turned over. While the government has been able to exercise similar powers in the past through acquisition of a warrant they weren’t able to force the target company to keep the request for information secret like they can today. Well it seems Google and Sonic were targets of a recent federal fishing expedition:

The U.S. government has obtained a controversial type of secret court order to force Google Inc. and small Internet provider Sonic.net Inc. to turn over information from the email accounts of WikiLeaks volunteer Jacob Appelbaum, according to documents reviewed by The Wall Street Journal.

[…]

Both Google and Sonic pressed for the right to inform Mr. Appelbaum of the secret court orders, according to people familiar with the investigation. Google declined to comment. Mr. Appelbaum, 28 years old, hasn’t been charged with wrongdoing.

As we’re hearing about this story it seems that Google and Sonic were successful in fighting the government demand of secrecy, this isn’t always the case though. The government very well could have obtained information about you from a company and you’ll never know unless they decided to move in and arrest you. If the government wants my data they’re going to have to send me one of those secret letters thus ensuring I know they’re spying on me.

The only way you can guarantee your data remains under your control is if you exercise complete control over it. If you store your data on a third-party service there is no way you can know other people don’t have access to it.

Chaos Computer Club Claims to have Cracked Spying Software Used by the German Government

It seems the American government doesn’t have a monopoly on illegally spying on its citizens. The Chaos Computer Club claims to have crack malicious software used by the German government to illegally spy on its citizens:

It sounds like something out of George Orwell’s novel “1984” — a computer program that can remotely control someone’s computer without their knowledge, search its complete contents and use it to conduct audio-visual surveillance via the microphone or webcam.

But the spy software that the famous German hacker organization Chaos Computer Club has obtained is not used by criminals looking to steal credit-card data or send spam e-mails. If the CCC is to be believed, the so-called “Trojan horse” software was used by German authorities. The case has already triggered a political shockwave in the country and could have far-reaching consequences.

On Saturday, the CCC announced that it had been given hard drives containing a “state spying software” which had allegedly been used by German investigators to carry out surveillance of Internet communication.

As you can guess this news didn’t surprise me (just once I’d like a government to surprise me by not actually being up to anything nefarious) but I do find it interesting that the software allows the controller to remotely control the target’s computer. Such a feature seems like a potential court defense since somebody whose machine was infected with the software could claim that the police are framing him. Then again the state runs the courts and the police so it’s unlikely any judge would be willing to throw a case out because his fellow state agents were doing something naughty. That isn’t even the worst part though, the software also demonstrates that a state can’t actually do anything with any measurable amount of competency:

The organization had analyzed the software and found it to be full of defects. They also found that it transmitted information via a server located in the US. As well as its surveillance functions, it could be used to plant files on an individual’s computer. It was also not sufficiently protected, so that third parties with the necessary technical skills could hijack the Trojan horse’s functions for their own ends. The software possibly violated German law, the organization said.

Nice, not only does the software allow a third-party to remotely control the system but it’s also full of security holes so any jackass on the Internet could waltz right in. Security flaws is ultimately the reason I don’t believe any evidence gathered from software of this nature should be admissible in court. Anytime you install a new piece of software you face possible security issues that could allow a third-party to gain remote access to your system. If state agents infect your machine with this software and a third-party uses a security flaw in the software to access your machine and perform illegal acts it’s most likely the state is going to target you because they already suspect you’re up to something they don’t approve of.

I also find the fact that the software transmits data to server in the United States interesting. This could be a barrier put into place so the gathered evidence lies outside of German jurisdiction (for instance if the software is discovered and the state decides to perform an investigation into what was gathered). Another possible reason for sending data to the United States could be due to some secret agreement between the two country’s governments regarding intelligence sharing. Of course it could just be due to the software manufacturer being a United States company and the software is transmitting quality assurance data.

Either way this story should demonstrate the fact that agents of the state can never be trusted. Software such as this is supposed to be illegal according to German law:

If the CCC’s claims are true, then the software has functions which were expressly forbidden by Germany’s highest court, the Federal Constitutional Court, in a landmark 2008 ruling which significantly restricted what was allowed in terms of online surveillance. The court also specified that online spying was only permissible if there was concrete evidence of danger to individuals or society.

When has a state complied with its own ruling though? While I hope the information being presented by the Chaos Computer Club is incorrect I honestly trust a group of hackers far more than any government.

Why Controlling Your Personal Information is So Important

Many people have a lackluster attitude towards control of their private information. When the fact that companies maintain a great amount of details about their customers is mentioned people will often cite laws forcing those companies to protect that information. Those laws may make you feel nice and all but what do you do when the company goes bankrupt? That’s the concern facing former Borders customers right now:

To perhaps to no one’s surprise, Borders bookstore collected a ton of consumer information – such as personal data including records of particular book and video sales – during its normal course of business. Such personal information Borders promised never to share without consumer consent. But now that the company is being sold off as part of its bankruptcy filing, all privacy promises are off.

Reuters wrote this week that Barnes & Noble, which paid almost $14 million for Borders intellectual assets including customer information at auction last week, said it should not have to comply with certain customer privacy standards recommended by a third-party ombudsman. In court papers, Barnes & Noble said that its own privacy standards are sufficient to protect the privacy of customers whose information it won during the auction.

Sure the company that currently holds your private information may be magnanimous but what about the next holder of that information? Concerns such as this should be at the top of everybody’s list as personal information of any sort is valuable both for good and bad guys. If you believe any personal information held by companies about yourself is unimportant you’re simply not creative enough.

The Free Market in Action

A short while back DigiNotar, a Dutch certificate authority, was hacked and their signing certificates were stolen. This lead to incidents where hackers were able to create certificates for any website they chose and those certificates would appear to be valid to every major web browser. For instance a phiser could create a site and the web browser would see the certificate and say it was valid as it was signed by DigiNotar, a trusted certificate authority.

DigiNotar’s business is literally trust so their reputation is everything. Unless people can trust that websites whose certificates were signed by DigiNotar are who they claim to be DigiNotar has no business. Well people can no longer trust certificates signed by DigiNotar and now they’re filing for bankruptcy:

DigiNotar, the Dutch certificate authority (CA) which was recently at the centre of a significant hacking case, has been declared bankrupt.

This is the free market in action. People trusted DigiNotar and DigiNotar failed to uphold that trust so people are no longer willing to do business with that company. As one of the entities DigiNotar’s failure negatively affected was the Dutch government it’s unlikely the company will receive any kind of bailout or otherwise be artificially propped up meaning this is a rare case where we get to see how the free market actually works.

Overblown Security Statements

There have been several stories floating around the web about a recent security flaw in OS X 10.7 that allows a user to change the password of another user without knowing that user’s current password. Although there is a security flaw related to passwords on OS X 10.7 it’s not nearly as severe as many websites are making it out to be.

An overview of the flaw can be found here. In summary the flaw is related to the Director Services command for reading and changing passwords. By entering the following command you can get the shadow hash of any user’s password:

dscl localhost -read /Search/Users/[user]

The value [user] should be replaced with the short name of a user who’s shadow hash you want to obtain. This is a rather serious flaw as there are scripts that can crack shadow has password (in fact one is available on the linked site for OS X 10.7). The other part of this flaw involves changing users’ passwords using the following command:

$ dscl localhost -passwd /Search/Users/[user]

Once again you replace the value of [user] with the system short name of the user whose password you want to change. What most articles I’ve seen regarding this flaw have claimed is that this command allows you to change another user’s password without knowing their current one. This is incorrect as the command requires you to enter the user’s current password before changing it. What this command does allow you to do is change the currently logged in user’s password without knowing their current one. Once again this is a rather serious security flaw but not nearly as severe as many are making it out to be.

I’m not trying to defend Apple here as they royally fucked up by allowing users to grab other users’ shadow hashes. They also fucked up be allowing somebody besides a directory administrator to change a currently logged in user’s password without entering their current one. But this flaw requires one major thing, access to a currently logged in user account. In most cases this means you must have physical access to the machine in which case all bets are off as far as security is concerned (it’s generally accepted that once an attacker has physical access to a target machine it’s game over).

The important question you should be asking right now is how can you defend against this? It’s simple, don’t leave you machine logged in when you’re not around. You should have a password set on your account (if you don’t you have no means of preventing unauthorized access anyways) and the account should be set to require a password immediately after locking the screen. When you walk away from you machine lock the screen (the keyboard shortcut on OS X is control + shift + eject). Remote access shouldn’t be a concern as it requires a remote user to know the user name and password of somebody on the system already (in which point this flaw matters not as they could change the password for the account they known the credential for).

Finally this flaw allows an unauthorized user to change the password of a currently logged in user without knowing that user’s current password but it does not allow that unauthorized user to change the currently logged in user’s keychain password. This means the password, certificates, and notes stored in the keychain will remain encrypted and out of reach unless the unauthorized user is able to crack the user’s shadow hash (in which case they have the password to unlock the user’s keychain).

If you need to give other users access to use your machine it would be smart to create a separate account for them and use the parental controls to prevent access to all applications they do not need (especially Terminal in this case). This isn’t bulletproof by any means but it’s an extra layer of security that should be done anyways.

Every Money Making Idea Carries Its Share of Risks

Entrepreneurship is a great thing and everybody should be looking for ways to make money off of what they already have available to them. Saying that it’s also important to know the risks of any money making strategy you come up with because sometimes the risks are much higher than the potential money to be made off of the venture. There is a new site that I’ve not heard of before called Airbnb that allow you to post up your place of residence and rent it to those who’ll be in the area for a short while (I think it’s aimed at people on vacation). It seems like an easy way to make money but anybody with two brain cells to rub together could figure out one giant risk involved, you’ll let people into your home which can have some major consequences as one person found out:

The facts: Last month “EJ” wrote a long blog post about how a renter spent an entire week carefully robbing and trashing her home. Walls were cut through to get to locked valuables, including her grandmother’s jewelry.

If somebody is going to be in your place when you’re not there there’s always a risk of your place ending up trashed, robbed, or both. This is a risk landlord, hotels, and motel owners have to deal with constantly. Many people lack any respect for the property of others and are more than happy to destroy or outright take it (for example, it’s the statist standard operating procedure).

Landlords, hotels, and motels attempt to alleviate this problem through insurance, verifying the identities of clients, and through a means of obtaining payment to cover damaged before they happen. In the case of landlords they usually required a security deposit which is returned to the client when they leave so long as nothing has been damaged. In the case of hotels and motels they usually require a credit card on file which they will charge any room damage or theft to.

Airbnb is a slightly different beast as they keep both parties in the deal anonymous until money has traded hands. This means until a client has actually paid for the use of the property the property owner is unable to perform actions like background checks or identify verification. This also generates a risk for the client as they may arrive only to discover the property isn’t there, the property that is there doesn’t belong to the owner, or that the place isn’t as advertised. Airbnb’s plan to alleviate these potential problems lies in their user ratings, but as the service is new there are few user ratings to go off of leading those interested in the service running blind.

Personally I find the prospect of renting my dwelling to another to carry a higher risk than the reward would be worth (especially since I’m renting and thus would be subleasing which in turn would be a violation of my lease). Others obviously think differently otherwise Airbnb wouldn’t be around at the moment. But the thing to note here is that there is no such thing as risk-free money (unless you’re the government, stealing from people is pretty risk free when you have a monopoly on the use of force). If you figure out a plan to make money make sure you understand the potential cost of the involved risks. Losing $100.00 because you loaned somebody money and they never repaid you isn’t life or death for many people but many will be unable to recover from the loss involved in having their entire home destroyed and much of their property stolen.

The Coolest Flying Drone Out There

What if I told you there was an unmanned drone that was developed to fly around, sniff Wi-Fi networks, and eavesdrop on GSM phone conversations? You’d probably get angry and yet another device developed by Motherland Homeland Security to spy on the citizens of the United States. In this case your rage would be misdirected because this drone was developed by a private individual trying to raise awareness of the poor security found on many Wi-Fi and all GSM networks:

At the Black Hat and Defcon security conferences in Las Vegas next week, Mike Tassey and Richard Perkins plan to show the crowd of hackers a year’s worth of progress on their Wireless Aerial Surveillace Platform, or WASP, the second year Tassey and Perkins have displayed the 14-pound, six-foot long, six-foot wingspan unmanned aerial vehicle. The WASP, built from a retired Army target drone converted from a gasoline engine to electric batteries, is equipped with an HD camera, a cigarette-pack sized on-board Linux computer packed with network-hacking tools including the BackTrack testing toolset and a custom-built 340 million word dictionary for brute-force guessing of passwords, and eleven antennae.

“This is like Black Hat’s greatest hits,” Tassey says. “And it flies.”

On top of cracking wifi networks, the upgraded WASP now also performs a new trick: impersonating the GSM cell phone towers used by AT&T and T-Mobile to trick phones into connecting to the plane’s antenna rather than their carrier, allowing the drone to record conversations and text messages on a32 gigabytes of storage

How fucking cool (and scary) is that? Truth be told the security on many devices that we commonly use today is completely nonexistent. Last year there was a demonstration at Defcon showing that it’s very possible for an average person to get the equipment necessary to spy on people using GSM phones (CDMA, as far as I know, is still safe from non-government snoopers).